Re: CAcert and Opera

Subject: Re: CAcert and Opera
From:
Date: Sun, 7 Dec 2008 12:39:17 -0700
Newsgroups: opera.general

"Yngve Nysaeter Pettersen (Developer, Opera Software A/S)"
<yngve@xxxxxxxxx> wrote:

> On Sun, 7 Dec 2008 11:08:41 -0700, gene@xxxxxxxx wrote:
> 
> >gene@xxxxxxxx wrote:
> >
> >> I had a thread going on VideoLan's (VLC Player) forum,
> >> forum.videolan.org, and every time I used the link to a reply in Opera
> >> it requests approval of a certificate (CAcert).  The warning is that the
> >> cert chain is incomplete and the signer(s) are not registered.  In
> >> asking about it, I was sent to the CAcert site, which among other
> >> things lists the browsers that include this certification; Opera is not
> >> among them (http://wiki.cacert.org/wiki/InclusionStatus).  Why is
> >> that?  I hadn't heard prior to this of end users having to register to
> >> get certificates.
> >
> >In looking at that list again and reading around more, it seems like
> >there are a number of hurdles and costs for browsers to jump to get
> >CAcert, and Mozilla/Firefox's status is still up in the air. Does that
> >mean for CAcert-affiliated sites, individual Opera users will have to
> >run the certification approval each time indefinitely?
> 
> You should only get the warning once per server per session of Opera, although
> you can pin the certificate for that server (option on the middle tab of the
> dialog in 9.50+ if you decide you trust the site).
> 
> There are quite a few hoops for the CAs to jump through to get into a browser
> root program. See http://www.opera.com/docs/ca/ for more.
> 
> If you decide you trust CACert's certificate issuing policies, and want to accept
> ALL the certificates they have issued, you can install their Root and Class 3
> certificates yourself for your profile (remember to click "View" and uncheck
> "Warn about this certificate"). As I have not, as mentioned, studied their
> policies, nor know of any results of a WebTrust or equivalent ETSI audit, I can
> only say you need to look carefully at those documents.
> 
> Please note that I have recently become aware of two problems with CAcert:
> Neither of their revocation services work with Opera 9.50+. The OCSP server
> does not comply with the RFC's requirements (this is easy to fix serverside;
> just upgrade the server), and the CRL is (unnecessarily) hosted on an HTTPS
> server requiring the CRL that we are trying to fetch first, causing a Catch-22
> situation (this can only be fixed with a reissue of their Root; I can also
> alleviate it to some extent but that requires recoding the CRL handling).
> Either of these two problems will cause you to not see a padlock under any
> circumstance with CAcert issued certificates with Opera.
> 

Thanks to both of you for answers.
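
The CRL Catch-22 described in the quoted reply, modelled as a dependency check. This is an added example, not part of the thread and not Opera's code; the CA names, hosts and URLs are constructed, and the model looks only at the issuer of each CRL host's certificate.

```python
from urllib.parse import urlsplit

# Constructed sample data: hypothetical CAs and hosts, not CAcert's real setup.
# issuer name -> URL where that issuer publishes its CRL
CRL_URL = {
    "Loop Root": "https://crl.loop.test/root.crl",
    "Plain Root": "http://crl.plain.test/root.crl",
    "CA A": "https://crl.a.test/a.crl",
    "CA B": "https://crl.b.test/b.crl",
}
# HTTPS host -> issuer of the certificate that host presents
SERVER_ISSUER = {
    "crl.loop.test": "Loop Root",
    "crl.a.test": "CA B",
    "crl.b.test": "CA A",
}

def crl_dependency(issuer, crl_url=CRL_URL, server_issuer=SERVER_ISSUER):
    """Follow "to fetch this CRL I must first validate that server's cert".

    Returns (chain, circular). circular is True when the fetch can never
    start because it eventually needs a CRL already being waited on.
    """
    chain, current = [issuer], issuer
    while True:
        url = urlsplit(crl_url.get(current, ""))
        if url.scheme != "https":
            # Plain HTTP (or no CRL listed): nothing to validate first.
            # The CRL is signed by its issuer, so integrity does not need TLS.
            return chain, False
        nxt = server_issuer.get(url.hostname)
        if nxt is None:
            return chain, False  # host's issuer unknown to this model
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain, True
        current = nxt

if __name__ == "__main__":
    for name in CRL_URL:
        chain, circular = crl_dependency(name)
        print(f"{name}: {' -> '.join(chain)}  circular={circular}")
```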
